
XG firewall migration to 18 : probably a BUG

Here, the results of my trials:

I have at home an XG HOME firewall running the version 17.5.10-MR 10; I created and downloaded a backup file

When I tried to upgrade to the firmware version 18, the firewall restarted with the default configuration (Ver.18.0.0.GA running, but just the administrator password set, all other settings have been deleted -no users, no interfaces, no zones, no rules, etc.)

I have also a new XG115 to be prepared/configured for a customer of mine; I registered it, configured it for basic functions and I updated it to the latest firmware version shown (17.5.10-MR10); I also downloaded, from the Sophos site, the related new firmware version 17.5.11-MR11 and 18.0.0 GA Build 354-SF300; after, I configured it for customer environment (LAN IP address, WAN configuration, rules, hosts, etc.); at the end, I created and downloaded the configuration backup.

I tried to RESTORE, successfully, my Sophos XG Home configuration on customer’s XG

I tried to upgrade the firmware to version 18 and it started with the DEFAULT FACTORY configuration (Administrator password remained set)

I also tried to RESTORE the XG HOME configuration backup on version 18, but it didn’t work (I was able to restore, but, at the restart, it was still with the default factory configuration)

So I rolled back the firewall, loading the other firmware image directly via GUI, and the configuration was back (and running, but on firmware 17.5.10-MR10)

Then I RESTORED the customer configuration, just created, on version/image 17.5.10-MR10 and it was OK; I updated the firmware version to the 18 and it was OK

I rolled back (boot) again to the version 17.5.10 using the second image on firewall, I RESTORED the XG HOME configuration and I tried to upgrade the firmware version to 17.5.11-MR11 just downloaded on the Sophos site, and IT WORKED WELL; it restarted with the firmware version 17.5.11-MR11 with the correct configuration.

So, I tried to UPGRADE (and boot) to the firmware version 18 and the firewall/GUI showed a message saying “It will restart with the default configuration, do you want to proceed?”

 

CONCLUSION:

The configuration of XG HOME firewall runs perfectly on version 17.5.10 and 17.5.11 (both on XG HOME device and on XG115 device), but cannot be migrated to the version 18; I think there is something in these settings which the UPGRADE of firmware version 18 is NOT ABLE to RUN; in other words, the firmware 18 is NOT ABLE to migrate all parameters set and so it starts on factory default settings; migrating from the version 17.5.11-MR11, the issue persists, but a message is shown.

 

Is there a way to debug/understand why (or which part of configuration)?

 

Many thanks in advance and best Regards  

Giorgio



  • Hi  

    Thank you for the service request number.

  • The Flag is not there anymore. It was deleted and replaced by the option to self create the mapped Port option. 

    I guess, if you would delete both business application rules, the problem disappears. 

    Try to clone them and delete the old Rules. 

  • Hi LuCar,

    I'll try to do what you suggested and I'll keep you updated

    Yesterday I sent to Sophos Engineers the configuration backup file that failed the migration; this morning I received an SMS by Sophos announcing that the rel. 18.0.1_MR1 (HW-18.0.1_MR-1.SF300-367.sig) has been released (already downloaded from MYID Sophos site), so I'll try as first what you suggested and after the "direct" migration to 18 MR1.

    Of course, after, I'll keep you updated and informed about that.

    Regards

  • Hi,

    I have just finished other trials:

    - I tried to clone all the business rules and I deleted the old ones; I tried to upgrade to 18.0.0 GA, but unsuccessfully

    - So, rolled back to 17.5.10-MR10 and I tried to upgrade to ver. 18.0.1-MR1, but it still fails (I checked the migration.log file, but the error is still the same as previous posts)

  • Do not install MR1.  Traffic jams.  v18 354 is the only v18 version reliable for now.

    Paul Jr

  • Thanks Big_Buck,

    Just a trial because the v18 354 doesn't work with this config. But there is opened an official support case and I know the Sophos Engineers are already working about it.

    Many thanks again.

  • Assuming the issue is in the database and your Configuration is older, this needs to be investigated by a Support engineer. 

    Let's wait for the Feedback but it is not a general issue.

  • Hi LuCar,

    I totally agree with you, we have to wait for an answer by engineers team
    But, what do you mean for "is not a general issue" or "older configuration"? We are speaking of migration, not about new installation/configuration.

    This is not an "old configuration"; it is a current configuration running on a current XG115 device with firmware version 17.5.10-MR10! Mostly, it was THE FIRST firewall configuration that I tried to migrate, and it means that the migration process to version 18 is not 100% secure, not so ready to be sure that all configurations can be migrated yet.

    Honestly, I'm quite worried for that
    I'm not going to make "dangerous experiments" on my customers' skin and on their mission-critical firewalls. And not at all, I'm going to rewrite every single configuration manually on the new firmware version. Until the migration process is not totally safe, I will not migrate any of my customers' firewalls.
    For that, I'm putting all my effort making tests and trials in order to help or put in evidence critical situations.

    Since I have an updated configuration backup of each of my clients, in the next days, where possible (for hardware requirements), I will test the import process on version 18 of all the running configurations, hoping to not find other situations so bad (and, as you can easy understand, it isn't a fast work to do and it will be really time-expensive -we are speaking of an amount of more than 40 customers, minimum...)

    As you can see (in post statistics), another user has already the same problem .... probably the migration process works quite well, but not entirely.

    Of course, if any other configuration will fail, I'll send it to the customer support /engineers team and I am very optimistic that they will find the solution early.
    I really want to try/test the new version 18 that seems to be really great, but, on the other side, I cannot risk to stop/lose my customers

    Sincerely yours,
    Giorgio
     
     
  • Just to be clear: This configuration of yours, which is not getting migrated, how old is the backup? 

    I am not talking about the current Software version or something like that. How old is the Backup? Or to rephrase this question, how long is this customer using XG? 

     

    There are many installations already on V18 and we found rare cases, which could not migrate. 

  • Hi dear LuCar,

    the backup is extremely recent, of course; let's say the same day I opened the question; but also the configuration is not "historical", it has been created on the second half of 2019; anyway, this is an active configuration, changed each time as new need arrives or is required. I understand what you mean, but each my customers' configuration is not "old", but mostly each of them is "alive", not only it is running today, but also because in each configuration have dynamically added new items, or deleted what is no longer needed; in other words, also if the first configuration has been created 1 year ago -or more, for some customers-, this configuration is alive and updated. If I have to create it from the beginning, I'll create exactly all as it is now.

    I can understand what you mean for "old" and is difficult for anyone to say "I'm sure, there isn't any 'not still used' parameter" (like Hosts or IPs, rules, etc.), "the configuration is clean and it doesn't contain any unused object brought by previous release versions", but is also true that all them are running on version 17.5 (also if they started in version 16 or older), but no longer on v.18

    I well understand that the (retro) compatibility is a big issue that requires an enormous debugging-work, but is totally unthinkable to rewrite from the beginning all the running configurations because otherwise the ver.18 doesn't support them (or what was accepted and running on 17.5.10); that means to not migrate anything

    My best Regards

    Giorgio